Manage privileged objects in CyberArk PAM - Self-Hosted

CyberArk Identity supports managing privileged accounts and objects in CyberArk Privileged Access Manager - Self-Hosted. This topic describes how to configure CyberArk Identity to authenticate to PAM - Self-Hosted REST APIs. These APIs can leverage the CyberArk Identity System for Cross-domain Identity Management (SCIM) server to manage objects in PAM - Self-Hosted.

SCIM endpoints facilitate the integration of IGA platforms that comply with SCIM clients, such as SailPoint, to simplify and automate the lifecycle management of privileged accounts. SCIM uses CyberArk Password Vault Web Access (PVWA) to manage objects in PAM - Self-Hosted without requiring a VPN connection.

The CyberArk OIDC Trust app that was used for this integration in previous releases has been deprecated. Do not attempt to use it. It will be removed from the Identity Administration portal in a future release.

Before you begin

When integrating PAM - Self-Hostedwith a third-party IGA application, start by performing the steps in Set up SCIM for PAM - Self-Hosted. When you reach step 2-2, return to this topic to configure CyberArk Identity.

When you configure the SCIM server, make sure you include an OAuth2 Client app to access the SCIM server with the scope scim*. This is described in Configure the SCIM server

Before you configure CyberArk Identity, you need the following:

  • PAM - Self-Hosted Vault updated to version 12.1 or later

  • PVWA (Password Vault Web Access) component in PAM - Self-Hosted updated to version 12.2 or later
  • URL for the PAM - Self-Hosted instance (not the PVWA sign-in URL)

  • CyberArk Identity Connector version 21.7 or later with the API Proxy Service enabled. This enables CyberArk Identity to invoke the corresponding PAM - Self-Hosted REST APIs through the secure, VPN-less tunnel. See Install the CyberArk Identity Connector for more information.

Additional licenses are required to enable this feature. Contact your CyberArk Account Representative for more information.
  • Do not use the following characters in usernames when integrating with PAM - Self-Hosted:

    Unsupported characters for usernames




    question mark


    less than


    greater than




    double quotation mark


    forward slash



Configure CyberArk Identity integration with PAM - Self-Hosted

Step 1: Create a service account for the Vault integration

  1. In the Identity Administration portal, go to Core Services > Users and click Add User.

  2. Enter the name of the service account user in the Login name field. Enter an email address and display name.

  3. Create a password for the service user.

  4. Select Is service user and Is OAuth confidential client.

  5. Click Create User.

Step 2: Create a role for the Vault integration

The service user must have a role with permission to the OAuth2 Client app used to access CyberArk Identity SCIM APIs for the IGA-PAM - Self-Hosted integration. See Configure the SCIM server for more information about configuring CyberArk Identity as a SCIM server and creating the service user.

  1. Go to Core Services > Roles, then click Add Role.

  2. Enter a unique name for the role and click Save.

  3. In the role you just created, go to the Members tab. Click Add and add the identity-privilege-integration-user$ service user.

  4. Go to the Administrative Rights tab and add Vault Management.

  5. Click Save.

Step 3: Configure CyberArk Identity

  1. In the Identity Administration portal, go to Settings > Integration > Vault Configuration.

  2. In the PVWA URL field, enter the URL for the PAM - Self-Hosted instance (not the PVWA sign-in URL).

  3. Select a CyberArk Identity Connector to use with this service. Choose either Any available connector or a specific connector from the list.
  4. Click Save.

Step 4: Configure the Vault

  1. Download the following CyberArk Marketplace scripts to a server that can communicate with PVWA.

    Configuration scripts
    Script Download

    Create SCIM service user

    Identity  and PAS integration configuration

  1. In PowerShell, go to the directory where the scripts are located and run the command to create a SCIM service user:

    .\CreateSCIMServiceUser.ps1 -PVWAUrl <PAS-PVWA-URL>

    where <PAS-PVWA-URL> is the URL for the Password Vault Web Access instance. For example:

  1. When prompted, enter your PAM - Self-Hosted admin credentials.

    The script creates a SCIM service user.

  2. Run the configuration script. In PowerShell, run the following command:

    .\IdentityConfiguration.ps1 -portalUrl <PAS-PVWA-URL> -cyberArkIdentityMetadataUrl <CYBERARK-IDENTITY-METADATA-URL> - cyberArkIdentityClientId __idaptive_cybr_user_oidc

    Command parameters




    URL for PVWA.

    For example:


    Tenant URL in the following format:


    For example:

    cyberArkIdentityClientId __


  1. When prompted, enter your PAM - Self-Hosted admin credentials.

  2. Add identity-privilege-integration-user$ as a Safe member to the Safes that you want to manage with CyberArk Identity. See Add a Safe member for instructions.

  3. Grant Safe permissions to the identity-privilege-integration-user$. Perform the appropriate steps for your environment.

CyberArk Identity configuration is complete.

Step 5: Configure PAM - Self-Hosted to integrate with CyberArk Identity

Return to Set up SCIM for PAM - Self-Hosted to complete the integration.